Slashdot Mirror


IE7 to be Pushed to Users Via Windows Update

dfrick writes "CNET is reporting that IE7 will be pushed to users via Windows Update. This has serious implications for e-commerce websites whose functionality might be affected by any bugs in the software. Also to have end users suddenly using a new browser right before the holiday shopping season could magnify the cost of any bugs that might create a bad user experience on sites."

9 of 608 comments

  1. Another Get Firefox day coming soon... by WinEveryGame · · Score: 5, Insightful

    Well we just celebrated the Get Firefox day. Perhaps the day IE7 gets pushed via Windows update would be yet another Get Firefox day.

    1. Re:Another Get Firefox day coming soon... by voice_of_all_reason · · Score: 5, Insightful

      Whoa, let's not get crazy here. Now, I like firefox as much as the next reasonably intelligent computer user. But it's got a memory footprint like the goddamned Galactus. It is literally the beast that cannot be fed. Firefox operates like a beowulf cluster dividing by zero simultaneously.

      //has seen it easily use up 1.5gb+ of ram before.

    2. Re:Another Get Firefox day coming soon... by giorgiofr · · Score: 5, Insightful

      ActiveX controls. Some people might, you know, want to use them.

      --
      Global warming is a cube.
    3. Re:Another Get Firefox day coming soon... by giorgiofr · · Score: 5, Insightful

      Frankly, I've never understood the demonizing of ActiveX technology. Actually, I've never even understood why people seem to concentrate only on the embedded controls in MSIE when ActiveX is about COM integration on the whole Win32 platform... Anyway, assuming we only care about browsers: the reason why you might want ActiveX is the same why you might want plugins or extensions: to make the browser do something MORE than render (D)HTML. Unless you also hate Java applets, plugins, FF extensions and Opera widgets, how can you hate ActiveX? Its only problem is that people blindly click on "Yes please install this dialer". How is that a tech problem? I call PEBKAC! Besides, when a java applet pops up and asks for permission to elevate its privileges, how come that's good and holy, yet when an ActiveX control does the same that's so disgusting?
      All this coming from someone who DOES dislike the my-browser-makes-coffee-too mentality so common today. But really, why do you single ActiveX out?

      --
      Global warming is a cube.
    4. Re:Another Get Firefox day coming soon... by steve_l · · Score: 5, Insightful

      1. I don't let java code escalate its privileges. It's got a sandbox, stay in it. Actually, I don't even enable java in the browser.

      2. I actually discovered one of the first ActiveX security holes, way back in 1999.

      The problem with AX is that it is really OLE Controls, OCX, upgraded for the internet era. OCX was nice, a version of Visual Basic (VBX) controls that was language neutral. Their goal was to make it easy for anyone to embed their controls inside their apps, and so have fancy apps with less coding. Classic Java Beans were Sun's ill-fated attempt to copy this. VBX and OCX were probably the enablers of the best market in re-usable client-side components. Want fancy reports in your app? Crystal Reports OCX. Want good database access? Use the db access controls that ship from MS. OCX was a really nice design.

      The trouble with ActiveX was that they turned the web browser into a container, with the ability to download and run any ActiveX control. By default, all OCXs that are installed on a PC are enabled for use in IE, even though they were never written for the assumption that their caller was trusted. There's nothing wrong with an OCX to be embedded inside a C++ app letting you open files in the local filesystem, delete files there, overwrite things. But have some random javascript do that and your box is owned. Most emergency patches by MS and PC manufacturers are for built-in controls, to mark them as unsafe for scripting, or to mark them as revoked.

      Failing one: ActiveX is only secure if the controls are designed to be called by untrusted people. Even if the controls aren't scripted, they can still take params which can be malicious and read/write illegitimate files. Example: Windows media control lets you pass in a path in the local filesystem. Script doesn't have access to the contents, but you can work out if the file is present or not. It is leaking information.

      Auto control download is the other problem. AX controls are pulled down, their signature verified. There is no sandbox, so the system is built entirely on the model that the people who write the controls are well meaning. The spyware industry showed the lie for that.

      Failing two: there is no sandbox for control.

      Now, for a few hundred dollars VeriSign will sell a certificate in the name "Microsoft requires you to install this component.ltd" and that is what appears on the click-here-to-be-0wned dialog.

      Failing three: the vendors of certificates are more interested in certificate sales fees than the safety of the box. If VeriSign took some financial hit for every bit of spyware they signed off, things would be different.

      AX controls are usually written in C++, which is one of the C/C++ family of 'buffer overflow enabled' languages. I know I always get marked down for flame baiting when I say that, but the truth is while competent people can write really secure code in C/C++ (eg. Apache HTTPD, OpenSSH), too many developers are in a hurry to ship something that just about works on the deadline required. Because AX controls are not in a sandbox, every single attribute and method has to be treated as something that a malicious piece of javascript can call.

      Failing four: the lack of a sandbox forces AX developers to write secure code, and they don't appear up to the job.

      If you find a security hole in an ActiveX control, it can be rereleased, a new .cab file produced and the web pages marked so that IE will update to a later version. Sound good? No. You can push out any old version of an ActiveX control up by serving it out and using a version marker of -1,-1,-1,-1, meaning "always update". This makes it impossible for anyone to ever reliably stop an insecure AX control from being served up. The only way to do this is by adding the control to the "do not run" list in the registry, a registry that is the fault of myself and Richard Smith.

      Failing 5: it's nearly impossible to stop malicious sites pushing out buggy versions of other people's AX controls.
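
An added example, not part of the thread or any poster's code: a Python audit of a registry export that reports which installed controls claim the "safe for scripting" or "safe for initialization" categories and which sit on the "do not run" list the comment above mentions (the kill bit, 0x400 in `Compatibility Flags`). The registry key and category names are the standard Windows ones rather than anything quoted in the thread; the sample export and its CLSIDs are constructed.

```python
import re

# Component categories IE looks for under a control's "Implemented Categories".
CATEGORIES = {
    "{7DD95801-9882-11CF-9FA9-00AA006C42C4}": "safe_for_scripting",
    "{7DD95802-9882-11CF-9FA9-00AA006C42C4}": "safe_for_init",  # <param> data
}
KILL_BIT = 0x400  # "Compatibility Flags" bit: IE refuses to instantiate the CLSID
GUID = r"(\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\})"
CATEGORY_KEY = re.compile(r"\\CLSID\\%s\\Implemented Categories\\%s\]$" % (GUID, GUID), re.I)
COMPAT_KEY = re.compile(r"\\Internet Explorer\\ActiveX Compatibility\\%s\]$" % GUID, re.I)
FLAGS = re.compile(r'^"Compatibility Flags"=dword:([0-9a-f]{8})$', re.I)

# Constructed sample in `reg export` text form; the CLSIDs are made up.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000002}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000003}\Implemented Categories\{7dd95801-9882-11cf-9fa9-00aa006c42c4}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AAAAAAAA-0000-0000-0000-000000000003}]
"Compatibility Flags"=dword:00000400
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{AAAAAAAA-0000-0000-0000-000000000001}]
"Compatibility Flags"=dword:00000020
"""


def audit(reg_text):
    """Map each CLSID in the export to the safety categories it claims and its kill bit."""
    controls, current = {}, None
    for line in (raw.strip() for raw in reg_text.splitlines()):
        if line.startswith("["):
            current = None
            cat, compat = CATEGORY_KEY.search(line), COMPAT_KEY.search(line)
            if cat and cat.group(2).upper() in CATEGORIES:
                state = controls.setdefault(cat.group(1).upper(), {"killed": False})
                state[CATEGORIES[cat.group(2).upper()]] = True
            elif compat:
                current = controls.setdefault(compat.group(1).upper(), {"killed": False})
        elif current is not None and FLAGS.match(line):
            current["killed"] = bool(int(FLAGS.match(line).group(1), 16) & KILL_BIT)
    return controls


def exposed(reg_text):
    """CLSIDs that claim a safety category, so pages may use them, with no kill bit set."""
    # Caveat: a control can also assert safety at run time through IObjectSafety,
    # which no registry export shows, so this list is a lower bound.
    return sorted(clsid for clsid, state in audit(reg_text).items()
                  if not state["killed"] and any(state.get(n) for n in CATEGORIES.values()))
```

`reg export` writes UTF-16 text, so decode the file before passing its contents to `audit`.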

  2. Good... by Anonymous Coward · · Score: 5, Insightful

    "Also to have end users suddenly using a new browser right before the holiday shopping season could magnify the cost of any bugs that might create a bad user experience on sites"

    I for one welcome this. IE6 sucks. Badly.

    IE7 has a few problems, but the faster IE6 dies, the better.

    This and as a web developer, I hope the bugs associated with pushing this app out will create a bad user experience and force developers that rely on hacks and nonstandard practices to get screwed over. I've had several sites I use not work with IE7 and the simplest has been because their simple javascript that detects IE versions tells me I need to use IE5.5 or greater. I've had others not work with the activeX controls because of new security models (or so I imagine).

    The sooner developers move towards standards the better. IE7 is a good push towards this goal, and having it pushed out buggy and forcing developers to address the idiotic IE Only Features is just another milestone on this route.

  3. What's the problem? by jaronc · · Score: 5, Insightful

    Maybe I'm missing something, but I'm not sure I understand the doom and gloom of the post? It is an update after all. And a lot of what I've read online has been positive towards 7 over 6. On top of that, the article pushes that you don't have to install it if you don't want to.

    As for the ecommerce sites being broken, it's not like they haven't had time to check to make sure their sites work in the new version. When the first beta came out, even I checked to see if there were any problems with my sites. I didn't fix them straight away, but I made sure to note down where the issues were for later repair.

  4. Re:Developers by ozmanjusri · · Score: 5, Insightful

    Oh dear, somebody who doesn't understand how the internets work. Here, this is a good start. http://www.w3.org/

    --
    "I've got more toys than Teruhisa Kitahara."
  5. Re:Developers by PintoPiman · · Score: 5, Insightful

    More like someone who is realistic and knows that all browsers have their quirks I would say personally. Not all quirks are created equal. IE is so far behind the modern browsers in implementing standards like CSS that they're no longer even in the ballpark. With the newer browsers rev'ing so much faster than IE, I don't think they'll even be in the same league for long.

    The argument here isn't idealistic or puritanical or religious - it's practical. CSS allows web developers to effectively separate content and presentation, which in turn allows for more efficient development. It's not about laziness either. We web developers have finite time. We either spend that time working on new features/content/layouts/whatever, or chasing down 4 year old bugs in IE.

    Take as an example a group of mechanical engineers plotting designs for a car. Group A favors one brand of mechanical pencils. Group B favors another. An astute engineer might attempt to settle the matter as you do: "all mechanical pencils have their quirks." Unfortunately, group C is using crayons that are worn nearly to the nub. IE is a crayon that is worn quite to the nub.

    To write off the pitiful state of IE's HTML, CSS and javascript support as "quirks" is to let MS off the hook. They leveraged their monopoly and "won" the browser wars. Having done so, it appears that they intend to use their dominant browser in order to defend their Big Two products by retarding the progress of web technologies indefinitely.

    As a side note, why does "realist" now refer to people who give up on ethics (and other such long term concerns) for short-run gains?